Cybersecurity researchers have brought to light a new wave of cyberespionage activity in which government networks across parts of Asia were quietly compromised using an upgraded version of the ToneShell backdoor. What sets this campaign apart is the method used to hide the malware. Instead of relying solely on user-level tools, the attackers deployed a kernel-mode component that operates deep within the Windows operating system, allowing the intrusion to remain largely invisible.
The activity has been linked with high confidence to a China-aligned cyberespionage group that has a long history of targeting government agencies, policy institutions, non-governmental organizations, and research bodies. Investigators say the campaign reflects a continued focus on long-term intelligence collection rather than short-lived attacks.
The findings come from an investigation by Kaspersky, which identified malicious system drivers on compromised machines in countries including Myanmar and Thailand. Evidence suggests the campaign has been active since at least February 2025. In several cases, the affected systems had previously been infected with older espionage tools tied to the same threat ecosystem, indicating that access was maintained and expanded over time.
At the centre of the operation is a malicious kernel-mode driver disguised as a legitimate system component. The driver is digitally signed using an older certificate that appears to have been improperly reused, helping it avoid immediate suspicion dur
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: